|Publication number||US20070180235 A1|
|Application number||US 11/636,474|
|Publication date||Aug 2, 2007|
|Filing date||Dec 11, 2006|
|Priority date||Dec 15, 2005|
|Also published as||CA2633116A1, CA2633116C, CN101331769A, CN101331769B, DE602006012541D1, EP1798975A1, EP1961224A1, EP1961224B1, US7882350, WO2007068720A1|
|Publication number||11636474, 636474, US 2007/0180235 A1, US 2007/180235 A1, US 20070180235 A1, US 20070180235A1, US 2007180235 A1, US 2007180235A1, US-A1-20070180235, US-A1-2007180235, US2007/0180235A1, US2007/180235A1, US20070180235 A1, US20070180235A1, US2007180235 A1, US2007180235A1|
|Inventors||Thierry Lelegard, Pascal Junod|
|Original Assignee||Nagra France Sas|
|Export Citation||BiBTeX, EndNote, RefMan|
|Referenced by (4), Classifications (15), Legal Events (2)|
|External Links: USPTO, USPTO Assignment, Espacenet|
This application claims benefit of priority under 35 U.S.C. § 119 from European Patent Application No. 05292701.9 filed on Dec. 15, 2005, in the European Patent Office, the disclosure of which is incorporated herein by reference in its entirety.
This invention relates to an encryption and decryption method for conditional access content in which this content is sent in the form of data packets.
This method is applied in particular to Pay-TV, but also to other configurations in which data is sent in an encrypted form. This data could in particular concern financial transactions, software, games or a musical content for example or information such as stock exchange information, weather forecasts or the like.
In a certain number of applications, in particular in the field of the Pay-TV, data that forms a content is sent in the form of data packets. These packets can in particular have a predefined fixed length. These packets are generally broadcast in encrypted form intended for a set of receivers such as decoders.
In parallel to the data packets, decryption information is also broadcast. In particular, this information contains decryption keys or data that allows the determination of the necessary keys. In order to guarantee a certain level of security in the conditional access data systems, it is imperative that the keys are changed after a certain usage or validity period. In practice, in the particular case of Pay-TV, a key could be used to access a television content for a few seconds, or even a few minutes. One of the constraints related to the change of key is the need to associate the correct decryption key with each data packet, otherwise this data is not accessible. However, it is practically impossible to synchronise the data with the decryption information, in particular due to the internal working of the systems.
For this reason, it is necessary to dispose of a mechanism that allows each data packet to be associated with the corresponding decryption key, without having to synchronise these two elements.
According to a known embodiment, the data packets generally contain a marker with a known value that allows the receiver/decoder to locate the start of a packet and to process this packet accordingly.
According to the standards used for the formatting of these packets, the length of a packet is fixed and it is not possible to add supplementary data to that already existing. In particular, this means that when the encryption key of a packet is modified, it is impossible to indicate this key change in the packet, for example by means of key change information. It should be noted that the change of the keys is not synchronized with the packets, in such a way that one key can be used to encrypt and decrypt several packets.
In practice, on reception of a packet, the latter is decrypted with the current key.
It is then verified if the result of the decryption is usable, that is to say if it contains the marker. If this is not the case, the same packet is decrypted with the following key. If the result of this decryption is usable and thus contains the marker, the new key is used for decryption. If the result of this decryption does not contain the marker, an error message is generated.
This embodiment presents an important drawback. In fact, it happens that the decryption of a packet with the current key gives a result containing the marker, even though this packet has been encrypted with a key other than the current key. This result given randomly is produced according to a significant frequency and prevents a user from accessing the contents even if he has the rights.
This invention proposes to avoid this drawback by carrying out a method in which the decryption with one key, of a packet encrypted by a different key never contains the marker. Therefore, it is impossible to confuse two encryption keys and access to the content is thus always assured.
The object of the invention is achieved by an encryption and decryption method for conditional access content, in which said content is broadcast in the form of data packets, the previous packets being encrypted by a first key associated to a first padding value and to a first encrypted padding element and the following packets being encrypted by a second key associated to a second padding value and to a second encrypted padding element, in which at least said first key and said first padding value form a first set of encryption parameters and in which at least said second key and said second padding value form a second set of encryption parameters, this method comprising the following steps:
In a Pay-TV system using the method of the invention, the data packets can be broadcast to a group of receivers, sent in point-to-point form or can be stored on a physical support such as a hard disk for example. The decryption data can also be broadcast, sent point-to-point or stored. Generally, the decryption device inside the receiver or the decoder disposes simultaneously of two pieces of decryption information. When these pieces of information are stored in a memory of the decoder, they are transmitted to the decryption device in such a way that they only dispose of the two pieces of information at the same time, the others remaining stored for subsequent use. If these pieces of information are the decryption keys, it disposes in general of the present key and the following key, that is to say of the key that has served to encrypt the packet during visualisation and the key that has served to encrypt the next packet using a key different from the present key.
Although the data packet, due to its structure and the constraints related to the used standards does not allow the inclusion of key change information, the method of the invention determines for which packet the following key must be used.
In fact, in the invention, while one data packet is accessed, the following packet is decrypted with the current key. In this decrypted packet, it is determined if it contains a marker. If this is not the case, the following key is used to decrypt the data packet. If this following key has been used to encrypt this packet, then this key is used, said key becoming the new current key. Another following key is then loaded.
If the marker is found after the decryption of the packet with the current key, it can be supposed that the current key is that which has been used to encrypt the packet in question. However, in order to avoid this marker from being present randomly even though the following key has been used to encrypt the packet in question, at the moment of encryption, a test is carried out. The aim of this test is to ensure that it is impossible to find the marker after decryption by a certain key of a packet that has been encrypted by another “temporarily adjacent” key, that is to say following or previous.
This cannot be guaranteed by the methodes of the prior art. In fact, as previously indicated, a data packet contains in particular a marker and a useful part, the marker being fixed and the useful part being variable. As this useful part is variable, it is impossible to guarantee that if the packet is encrypted with a key, then this packet is decrypted with another key, the packet obtained does not contain the marker.
In this invention, thanks to the test, it is possible to be sure that if the marker is found in the decrypted packet, then the decryption has been carried out with the correct key.
This invention and its advantages will be better understood with reference to the enclosed drawings and to the detailed description of a particular embodiment, in which:
With reference to
By applying the method of the invention, in a first instance, the marker Mc is extracted from first data packet DP. A block is then formed, called first marking block BM. This marking block includes on one hand the marker Mc and on the other hand a first padding value PAD1. This padding value can be chosen randomly, from a predetermined list or can be constant. The importance of this padding value is described in detail below.
In the method of the invention, generally a block encryption algorithm is used. In this type of algorithm, the size of the used blocks is fixed and can be for example 8 or 16 bytes, although other values are possible. This size is called encryption size hereinafter. The size of the first padding value PAD1 is such that the size of the marking block BM is equal to the encryption size.
The marking block BM is then encrypted with the first encryption key K1 in order to obtain an encrypted marking block BMC. This is cut into two parts, one of the parts having the size of the marker Mc and the other part having the remaining size. The part having the size of the marker has the reference MK1 in
The useful part PL1 contained in the first data packet is encrypted by means of the first encryption key K1, using for example also the block encryption method, in order to obtain the encrypted useful part PL1K1.
The marker Mc of the original packet DP is replaced by the encrypted marking value MK1 obtained in the previous step. Likewise, the useful part PL1 is replaced by the encrypted useful part PL1K1. This new block necessarily has the size of the original block. It is called encrypted data block DBC. It is clear that the encrypted data block does not usually correspond to the data packet DP to which the first encryption key K1 would have been applied.
Another block is also formed, called decryption block DB, comprising at least the first key K1 and the encrypted padding element PADK1.
The encrypted data block DBC and the decryption block DB are processed conventionally for their diffusion, that is to say that the decryption block is generally encrypted by a transmission key TK and formatted in order to be sent in a control message ECM to the concerned receivers. The encrypted data block is also transmitted to these receivers.
As previously indicated, the method of the invention guarantees that a key having served for the encryption of data packets may never be confused with another key having served for another data packet.
With reference to
As indicated with reference to
Then the marking block is encrypted with the first encryption key K1. An encrypted marking block BMC is obtained. This is then separated into two blocks, one containing the encrypted marking value MK1 and the other the encrypted padding element PADK1, as shown in
During this verification step, the marker Mc of a data packet is extracted, then a second padding value PAD2 is added to this marker so as to form a marking block having the size of the data packet. This marking block is encrypted with the second encryption key K2 and forms an encrypted marking block. The latter is cut in such a way as to form a second encrypted marking value MK2 and a second encrypted padding element PADK2. The second encrypted marking value MK2 has the size of the marker and the second encrypted padding element PADK2 represents the balance of the block.
Then a new block is formed, called mixed encrypted marking block BMXC, from the second encrypted marking value MK2 and the first encrypted padding element PADK1. As previously indicated, this first encrypted padding element is already known, since it was formed during a previous step.
This encrypted mixed marking block is decrypted with the key used previously, namely the first encryption key K1. The obtained block is cut so as to form a first part MK* having the length of the marker and a second part PADK* representing the balance of the block. This first part is compared with the marker Mc. If the comparison indicates that these values are different, the method continues as is explained with reference to
On the contrary, if the comparison indicates that the values MK*; Mc are identical, this can occur randomly and can pose problems at the time of the use of the system, it is necessary to change at least one parameter used for the encryption.
During the use of a block encryption algorithm in a method such as that described above, the used parameters are the second padding value PAD2, the second encryption key K2 as well as possibly an initialisation vector. This initialisation vector is well known in itself and is not described in detail below. Its function is in particular explained in “Applied Cryptography” by Bruce Schneier, 2nd edition, §9.3.
When the modified parameter is the padding value, this second padding value PAD2 will be replaced by a new second padding value called PAD2*. If the padding values are determined randomly, it does not pose any problems. If they are chosen from a list, it is sufficient to take another element from the list. If this padding value is fixed, it is necessary for these particular cases to take a padding value different from this fixed value. For this, it is thus necessary to provide the mechanisms that allow the changing of the padding value, even if these values are generally fixed.
When a new second padding value has been determined, it is tested again until a configuration is reached in which the decrypted marking value MK* is different to the marker Mc.
According to one alternative, it is also possible to keep the same padding value and change the key. In fact, it is necessary to change at least one of the values of the above mentioned parameters. It is also possible to change all the values, for example by randomly extracting a new set of used parameters, namely a second padding value, a second key and an initialisation vector.
According to one alternative, shown in
The verification method is carried out as indicated in the previous embodiment until the obtainment of the mixed marking block decrypted by the first encryption key K1. This decrypted mixed marking block is cut into three parts, namely a first part MK* of the size of the marker, an intermediate part PADK* and a third part FK* of the size of the fixed value F2. By knowing the first padding value PAD1, the first fixed value F1 and the first encryption key K1, it is possible to determine the value which must be obtained for the third part FK* of the decrypted mixed marking block, this value being called predictable reference value PDV2. In this embodiment, if the third part FK* is equal to the predictable reference value PDV2, the second fixed value F2 or the key or an initialization vector is changed, until the comparison indicates a difference in values.
This embodiment indicates that it is not necessary to carry out the comparison on an identical value for all the data packets. In fact, it is sufficient to apply this method to known values in clear the processing of which gives a predictable result.
As indicated with reference to
In a first instance, the decoder uses the transmission key TK to extract the decryption block. From the encrypted marking value MK1 and the encrypted padding element PADK1, the encrypted marking block BMC is reconstituted. Thanks to the knowledge of the first key K1, originating from the decryption block, it is possible to decrypt the encrypted marking block and to obtain the marking block.
This marking block is then cut in order to obtain a block having the length of the marker Mc. This block is tested to verify if it is equal to the marker Mc or not.
Based on the hypothesis that the first key K1 for encryption is also that used for decryption, the block obtained previously would also contain the marker Mc. This characteristic actually allows to ensure that the decryption key is also valid for the data packet processed at present.
Thanks to this marker Mc, the original packet can be reconstituted by replacing the encrypted marking value MK1 in the encrypted data block with the marker Mc. In this way the original data packet DP whose useful part PL1K1 is encrypted is obtained. This is then decrypted by means of the first key K1 in order to obtain the useful part PL1 which is then processed conventionally to access the contents required.
The rest of the description concerns the case wherein the encryption key used is a second encryption key K2 and wherein the first encryption key K1 is used to try to access to data. This case is considered below with reference to
As previously indicated, the decoder receives an encrypted data block DBC and a decryption block DB, this decryption block itself being encrypted by the transmission key TK. This block is first decrypted thanks to the known transmission key of the decoder. The decoder can then form, as in
This decoder then deciphers this block with its present key, namely the first encryption key K1. The result is cut to the length of the marker Mc, and then compared to this marker. As the key K2 used for encryption is different from the first key K1 used for decryption, the cut part MK2 of the block will be different from the marker Mc.
Moreover, as indicated with reference to
In this way, the changing of the key will inevitably be detected by the decoder. As the use of the first key. K1 does not give the expected result, namely the marker Mc, the following key is used, namely the second encryption key K2. In this way, one finds itself in the same case as disclosed in
In the above description, it is indicated that the actual decryption device contains two keys, namely the current key and the following key. According to one alternative, it could also contain more, for example 5, registered in a shift register. In this case, when the first key is no longer usable, it is eliminated and the second key takes its place. The 5th key takes the 4th place and a new key is introduced in the 5th position.
The keys used in the present invention can be of symmetrical or asymmetrical type. In the case of a symmetrical key, the same key is used to encrypt as well as to decrypt. In the case of an asymmetrical key, the key used to encrypt data is different from the key allowing them to be decrypted. Therefore, in the above description, when it is indicated that the decryption is carried out with the first key K1 for example, it is necessary to understand that in the case of the use of asymmetric keys, this decryption is carried out with the key of the pair of keys which has not been used for the encryption.
Although it is not explicitly represented in the drawings, when an initialisation vector is used in the field of block encryption, this vector is also transmitted to the decoder in the decryption block so that this vector is also available during decryption.
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7506176||Mar 10, 2008||Mar 17, 2009||International Business Machines Corporation||Encryption mechanism on multi-core processor|
|US8416983||Apr 23, 2010||Apr 9, 2013||The Directv Group, Inc.||Method and apparatus for establishing an accurate low bit time stamp in a remotely created watermark|
|US8611531 *||Apr 23, 2010||Dec 17, 2013||The Directv Group, Inc.||Method and apparatus for remotely inserting watermark into encrypted compressed video bitstream|
|US20110261959 *||Apr 23, 2010||Oct 27, 2011||The Directv Group, Inc.||Method and apparatus for remotely inserting watermark into encrypted compressed video bitstream|
|U.S. Classification||713/160, 348/E07.056|
|International Classification||H04N7/167, H04L9/00|
|Cooperative Classification||H04L9/0618, H04L2209/601, H04L2209/20, H04N21/43853, H04N7/1675, H04N21/23895|
|European Classification||H04N21/2389E, H04N21/4385D, H04L9/06B, H04L9/08, H04N7/167D|
|Dec 11, 2006||AS||Assignment|
Owner name: NAGRA FRANCE SAS, FRANCE
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LELEGARD, THIERRY;JUNOD, PASCAL;REEL/FRAME:018698/0885
Effective date: 20061204
|Jul 24, 2014||FPAY||Fee payment|
Year of fee payment: 4